FRAMINGHAM (10/30/2003) - Mazu Networks Inc. has upgraded its security-analysis platform to help customers find worms and unauthorized behavior that previously might have gone undetected by its gear.
Mazu's Profiler 3.0 software adds three capabilities for detecting suspicious behavior that might warrant intervention to head off or clean up after security breaches.
Profiler consists of an appliance that sits anywhere on a network and gathers data from probes placed on access links to data centers. Software in the appliance analyzes the data to pick out unusual and potentially malicious traffic. Mazu Probes were the only data-gathering devices used with previous versions, but Profiler 3.0 can use data gathered by Cisco Systems Inc. routers equipped with Cisco's NetFlow traffic-monitoring software.
One new detection feature in Profiler 3.0 lets customers set rules about allowable network behavior and send alerts to the Mazu management console, or to any overarching management platform based on Simple Network Management Protocol, if those rules are violated. So if an unauthorized machine attempted to connect with a particular service on a particular server, Profiler would send an alert. Previously, Profiler would send alerts only when it detected behavior it had not seen before, but would not look for pre-specified activity.
Another added feature lets users track applications that use ephemeral Transmission Control Protocol ports - ports that are assigned on the fly by servers, a characteristic of File Transfer Protocol (FTP) servers. Before, the gear could not keep track of FTP transfers at all because of the fluctuating nature of the ports being used, so any abuse of file transfers, for example, would go unnoticed.
The software also can detect and send alerts when servers being accessed on a business partner's network have gone dead. Normally, because these servers are managed by another business, partners would not be informed. But Profiler would note that traffic from the server had stopped altogether and send an alert notifying a customer there was a problem.
Mazu competes against Arbor Networks Inc., Captus Networks Corp. and Riverhead Networks Inc., each with varying degrees of features, says Eric Ogren, an analyst with The Yankee Group. This type of gear can supplement equipment that looks for intrusion signatures by determining what devices are talking to other devices. He says the data gathered also can be used for network capacity planning by monitoring the growth of legitimate traffic on the network.
In addition to new detection features, Profiler now can generate reports that help speed recovery if a network is hit by a worm or some other attack. The software now is integrated with Crystal Reports reporting software and Microsoft's Excel spreadsheets, so data gathered by Mazu probes or Cisco routers can be sorted by these tools to create a variety of additional reports.
Profiler starts at US$65,000, including support for 20,000 hosts, and threat-detection and reporting software. Probes range in price from $14,000 to $60,000 and come in Fast Ethernet and Gigabit Ethernet models. Profiler 3.0 is a free upgrade to current customers with service contracts.